So since some other people have posted some stuff on this exploit I figured I'd see what I could add. The first really cool thing I found (Thanks Arkaic:D)
was a script for nmap which checks for the vulnerability. If anyone is unfamiliar with the nmap scripting engine you are really missing out. Maybe if there is some demand we can do a write-up on it later. So we need to check out an experimental branch of nmap in order to get the needed libraries for it to work. If your nmap breaks because of this it's not my fault. Mine is fine so yours should be as well. Ok here we go

Ok so all we did was rebuild nmap with a new branch. This actually gives us a bunch of new scripts to check out but for the sake of this post we will only use one. So now we can run a scan. The reason I searched this out is because the metasploit module to do the scan test (to my knowledge) only does one host at a time. I was looking to cover subnets if need be.

Ok so if you open up the exploit (which you should always do) and give it a quick read you will see there is a Windows 2003 payload (#2) and a 2000 payload (#1) {thanks to TheX1le}, so due to our scan results we are going to need 2003 so...

Well, that's it for this post. If you found any of this info helpful please let me know and I will post more how-to's on this type of thing; otherwise just tell me I suck and I'll go back to moderating with an iron fist:D

It's an SP3 XP machine with the required port open, but maybe because it is SP3, it is not working. The Perl script could be more intelligent and give a message that the payload was not successful, or something of that nature.

11-29-2008, 08:18 PM

purehate

The exploit is only for Windows Server 2003 or 2000 which have not been patched in the last few months. The exploit is not mine. I merely used it to complete the post. Yes, the error handling is pretty bad in the script, but like I said I just borrowed it.

We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages.. ;)

btw, thanks, very nice post!

cheers!

11-30-2008, 07:17 PM

purehate

Quote:

Originally Posted by thebug

Very nice post Pure!

Just for info...

We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages.. ;)

btw, thanks, very nice post!

cheers!

I would never use autopwn in a real test situation. It's far too noisy. Also the "old" nmap, as you put it, does not do what this nmap script does. The script checks the port and then reports whether it's vulnerable or not.

12-01-2008, 10:32 PM

Lammer

Great!

Very nice how-to pureh@te.
I think this kind of info is very, very useful.
Please keep sending them.

12-02-2008, 06:11 PM

anonymoususer

I was able to successfully sploit 3 windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though

12-02-2008, 08:17 PM

ShadowKill

Quote:

Originally Posted by anonymoususer

I was able to successfully sploit 3 windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though

With permission of course........:rolleyes:

12-03-2008, 12:30 PM

imported_johnjohnsp1

Tested on an XP box with SP3 and it worked as well. Just for info, reading the paper about that exploit says it will work if the system is not patched with the Windows update KB958644.